The World Wide Web Consortium and the FIDO Alliance Tuesday unveiled a new standard designed to bring stronger authentication for websites and potentially displace passwords.

After quietly agreeing last month to advance the WebAuthn protocol to Candidate Recommendation status, the World Wide Web Consortium (W3C) and the FIDO Alliance are now promoting the protocol as a way to authenticate users on the web with hardware security keys or built-in biometrics, such as fingerprint or facial recognition, instead of passwords. WebAuthn, short for the Web Authentication API, is a product of the W3C’s Web Authentication Working Group, developed in concert with the FIDO Alliance.

The move is the first step toward a standard approach to implementing strong, multifactor authentication across all major web browsers, without a need for organizations to build new frameworks for MFA. Google, Microsoft and Mozilla have all pledged to support the new WebAuthn standard.

Michael Jones, director of identity partnerships at Microsoft and one of the co-editors of the WebAuthn specification, gave a preview of the recommendation in a W3C blog post published last month. “This is a major step towards enabling practical, strong, privacy-preserving authentication on the Web,” Jones wrote. “Web Authentication is a challenge-response protocol employing strongly secure public key cryptography, with per-website key pairs, rather than the simple presentation of phishable, possibly re-used, passwords.”

Candidate Recommendation is the second of four maturity levels in the W3C standards process (Working Draft, Candidate Recommendation, Proposed Recommendation and Recommendation). Promotion from Working Draft means the W3C recognizes that the WebAuthn specification has been widely reviewed and satisfies the technical requirements the working group set out; the Candidate Recommendation phase is used to gather implementation experience. Once interoperable implementations exist, the specification may advance to Proposed Recommendation and finally to W3C Recommendation, the stage at which the W3C endorses a specification for wide deployment.

Another website authentication tool

The WebAuthn API is exposed by the web browser, which relays requests either to a platform authenticator built into the user’s device or to a roaming authenticator such as a security key or a phone. “This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users,” according to the specification abstract.

Brett McDowell, executive director of the FIDO Alliance, told SearchSecurity by email that “WebAuthn provides a standard web browser JavaScript API that enables any website to update its login pages to add a new option for ‘login with FIDO.’” McDowell noted that while he couldn’t predict how websites would use the new API, adding a “login with FIDO” option would be “a reasonable expectation based on the fact many mobile apps already use ‘login with fingerprint’ on their user interfaces already. WebAuthn simply allows that same experience to be easily extended to websites and no longer limited to downloaded apps.”

McDowell said he expects most websites will start out by offering FIDO authentication in addition to whatever authentication method they currently offer. “But over time, as websites evaluate how FIDO Authentication is impacting their fraud numbers, user support costs [and] checkout conversion rates, I expect we will see websites start to deprecate their password options and rely entirely on device-based FIDO Authentication, especially as [the internet of things] organically increases the number of internet-connected devices we interact with every day.”

Implementing the WebAuthn protocol

The major browsers have already begun implementing the WebAuthn API specification. Microsoft announced in February that its Edge browser would begin supporting it along with Windows Hello. Google demonstrated seamless payments over Chrome last year, and Mozilla has already rolled out support in Firefox version 60.

McDowell explained that supporting the new WebAuthn standard for FIDO Authentication requires updating the web browser, the device on which the browser is running and the website doing the authentication.

“Websites do need to do more than just update the JavaScript on their login pages,” he added. “They also need to build support for the WebAuthn standards into their authentication infrastructure so they can process the new standard messages that the web browser will pass between the user’s device and the website’s server.”